public/file.te: add 'allow proc_net proc:filesystem associate'
Per http://cs/aosp-master/system/sepolicy/private/genfs_contexts?l=21
genfscon proc /net u:object_r:proc_net:s0
/proc/net/... portion of proc should be 'proc_net' not the default of 'proc'
For example on a bonito:
$ adbb shell ls -alZd /proc /proc/net/xt_quota
dr-xr-xr-x 757 root root u:object_r:proc:s0 0 1969-12-31 16:00 /proc
dr-xr-xr-x 2 root root u:object_r:proc_net:s0 0 2020-10-20 11:02 /proc/net/xt_quota
This already mostly works, but occasionally on 4.19 devices we see
(apparently spurious) denials (my gut feeling is kernel behaviour
changed and/or is racy):
[ 37.434457] type=1400 audit(1574821413.359:2102): avc: denied { associate } for comm="Binder:762_1" name="globalAlert" scontext=u:object_r:proc_net:s0 tcontext=u:object_r:proc:s0 tclass=filesystem permissive=1
Presumably caused by a binder rpc into netd:
http://cs/aosp-master/system/netd/server/BandwidthController.cpp?l=635&rcl=cdd79f13c670605819333de2d7b67d7f8a42210c
Things seem to work anyway, presumably because eventually it does somehow
get set to 'proc_net' anyway...
This patch will allow the removal of:
allow proc_net proc:filesystem { associate };
and
dontaudit proc_net proc:filesystem associate;
from device specific configs.
Bug: 145579144
Bug: 170265025
Test: treehugger will
Signed-off-by: Maciej Żenczykowski <maze@google.com>
Change-Id: I46294d8b1526e846a5eddb350adf51c76634b8f1
1 file changed